Astra's Privacy Policy

Astra, Inc. (“Astra” “we” “us” “our”) is committed to protecting and respecting your privacy. We understand that keeping your financial and personal information secure and confidential is critical to earning and keeping your trust. It is important that you know that your trust is paramount to us.

This Privacy Policy describes the specific policies and procedures we use to collect, use, disclose, and share with others personal information we collect from you and about you through our website located at www.astra.finance or through our web-based or mobile applications (collectively, the “Site”) and any related services. We take these policies and procedures seriously.

In this Privacy Policy, the term “Personal Information” means information that relates to an identified or identifiable natural person and, where applicable, a household. By accessing or using the Site, you agree to be bound by the terms and conditions of this Privacy Policy and Astra’s Terms of Service (into which this Privacy Policy is incorporated by reference), as they may be amended from time to time in the future.

To offer the Site, we use information you provide to us, information that we collect automatically when you use or access the Site, or that we collect from you and your financial accounts as you use our Site.

Information you provide to us

To access our services through the Site, you are required to sign up for an account. When you sign up for an account, we may ask you to provide us with Personal Information about you, like your name, e-mail address, mobile phone number, or an avatar for your account.

During the account setup, you will be asked to provide certain information about you from third-party financial institutions or third-party payments providers with which you have a legally binding customer relationship (each, a “Third-Party Financial Institution”). To enable us to access your financial data with Third-Party Financial Institutions, you will need to provide (as applicable): the name of the Third-Party Financial Institution, the username or email associated with that institution, the password for your financial account, and other similar information.

We collect this information to establish a connection with your financial accounts and gain access to information and data we need to provide you with the services you request, including your bank account and routing number with that institution. We do not store your bank account and routing number in our systems.

We may also be required to verify your identity to comply with certain obligations and laws. In such an event, we will ask you to provide us with information like your name, date of birth, your social security number, images of your government-issued identification, biometric information, and mailing address. With the exception of your name and mailing address (which we will use and store in accordance with this Privacy Policy), we will not store the other information you provide in such an event after it has been used for these purposes.

Information we collect from your use of our Site or App

In addition to the information you provided when creating your account, we may collect information from you during your use of the Site. For instance, we may collect information from you about the device you use to access the Site, what operating system or internet browsing software you use for that access, and your IP address. We also may collect information about how you use our Site, including what links you may click on or whether you have visited our Site in the past and when.

When you authorize us to access information from your financial accounts with Third-Party Financial Institutions, we may also collect information about those accounts, including the balance of those accounts, what type of institution is holding the account, and what type of account is involved (i.e., checking or savings and credit or depository). We also collect information about the transactions that have taken place with that financial account, including, but not limited to, the amount of the transaction, where the transaction took place, and the time of the transaction.

Cookies and Google Analytics

We and our partners may use various technologies to collect and store information when you visit our Site. This technology may include the use of cookies or similar technology. We use these cookies and similar technology through Google Analytics to better your experience with our Site. Google Analytics is a web analysis service provided by Google. Google utilizes the data collected from our Site, through cookies and similar technology, to track and examine the use of the Site, to prepare reports on these activities and share them with us. We use these cookies and the Google Analytics information to improve the delivery and performance of our Site by:

• better understanding how you use our Site;
• detecting and defending against fraud and other security risks; and
• better presenting advertisements, products, and/or services of interest to you.

To learn more about how Google Analytics collects and processes data, please visit “How Google uses data when you use our partners’ sites or apps”, located at www.google.com/policies/privacy/partners/.

We use the information we collect for a variety of purposes, including:

• Providing the Site and all related services to you;
• Improving the Site and all related services, as well as to research and develop new services, determine customer demand for new or improved services, and specifically tailoring or customizing our services for you and other customers;
• Communicating with you regarding your account, changes to the Site or services we provide, and promotional material about new services or products we may be offering;
• Responding to requests or inquiries from you;
• Providing customer support or technical assistance;
• Creating or administering your account, including identifying you with your account;
• Billing you, as applicable;
• Maintaining the Site, including by ensuring compatibility with software and hardware you or our customers typically use;
• Securing the Site and our systems and networks, and protecting your information and data; and
• Disclosing to others in accordance with this Privacy Policy.

In addition to the above, we may use Personal Information about your transactions (including their amount, where they take place, and when they occurred) (“Transaction Information”) to provide you with summaries, reports, or trends regarding your spending, including information on the categories or frequency of purchases. We may use your Transaction Information to help show you trends in your spending, to predict future spending, or to highlight opportunities for savings. We may use Transaction Information to highlight unusual spending trends – like spending associated with a business trip/vacation or major purchases – to improve your record keeping and budgeting. We may use your Transaction Information to show you the way such transactions may have affected your financial goals.

We do not disclose your personal or financial information to companies, organizations, or individuals outside of Astra, subject to the following exceptions.

Information Disclosed to Vendors in Order to Provide our Services

We may share your Personal Information to the extent necessary to provide the Site and services. This includes, but is not limited to, updating, securing, and troubleshooting, as well as providing support. Some examples of entities to whom we disclose information are as follows:

Plaid – As part of providing you with the Site and related services concerning your financial accounts, we work with a partner, Plaid Technologies, Inc. (“Plaid”), who is also authorized to access financial accounts. We use Plaid to gather your data from financial institutions. By using our service, you grant us and Plaid the right, power, and authority to act on your behalf to access and transmit your Personal Information from the relevant financial institution. You agree to your Personal Information being transferred, stored, and processed by Plaid in accordance with the Plaid Privacy Policy (https://plaid.com/legal). We give Plaid the following information about your financial accounts that you provided during account setup:

• Name of the financial institution where your account is held;
• Your username;
• Your email address; and
• Password for that financial account.

Plaid receives this information and establishes a connection to those financial accounts. Once the connection is established, we delete the financial account information from our system.

Dwolla – As indicated in our Terms of Service, we also work with Dwolla to provide an account for your use through the Site. You agree to your Personal Information being transferred to Dwolla, and being stored and processed by Dwolla in accordance with the Dwolla Terms of Service and the Dwolla Privacy Policy. Please refer to those documents for more complete information about how Dwolla collects, uses, and discloses information about you.

Google Analytics – As indicated above, we also provide information regarding your use of our Site, or clicks on links to other sites on our Site, to Google Analytics.

Persona – In certain circumstances, we may share your Personal Information with vendors who help us verify your identity by performing biometric analysis to help us verify your identity and detect and prevent fraud. We use Persona to perform identity verification through facial geometry analysis.

Additionally, we may provide access to your information to other third-party vendors who may be assisting us with the operation, maintenance, or security of our Site.

Information Disclosed to our Service Providers

We also share Personal Information with our Essential Service Providers as necessary to provide the Site and the services to you. For example, we use Google Cloud Platform (GCP) as a cloud server provider, and as such we necessarily share Personal Information with GCP. Information shared with such essential service providers is strictly limited to the purposes of providing the Site and the services to you. These Service Providers may be located in a country whose data protection legislation is different from your country, and they will have access to your Personal Information as necessary to perform their functions, but they may not share that Personal Information with any other third party or use that data for any other purpose.

Information Disclosed in Connection with Business Transactions

We may disclose Personal Information to a third party in the event of reorganization, merger, sale, joint venture, assignment, transfer, or other disposition of all or any of our business, assets, or stock, including in connection with bankruptcy or similar proceedings.

Information Disclosed for Our Protection and the Protection of Others

We may disclose your Personal Information if legally required to do so, pursuant to a request from a governmental entity, or if we believe in good faith – after considering your privacy interests and other factors – that such action is necessary to:

• Comply with legal process or requirements, including notification obligations;
• Respond to requests from public and government authorities or regulators (including those outside your country of residence);
• Enforce our contractual rights and comply with our contractual agreements;
• Protect the rights, privacy, safety, or property of you, Astra, and others; and
• Stop any activity that we consider illegal, unethical, or legally actionable.

Information Disclosed to Others in Accordance with Your Preferences

We may disclose Personal Information to third parties if you consent to such disclosure.

Our Site may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for their policies. Please check these policies before you submit any personal data to these websites.

We attempt to provide you with accurate information about your financial accounts. To do so, we need accurate information from you about yourself and those accounts. If you find that information we have about you is outdated, missing, or incorrect, we would ask that you notify us at [email protected] of these errors so that they can be addressed. We may ask you to verify your identity before we act on any request to change your information. We may also reject requests that are unreasonably repetitive, require extraordinary or disproportionate technical effort or cost, risk the privacy or security of others, or would be extremely impractical.

We will retain information we collect about you for the period necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required by applicable law.

You may request your account be deleted by our support department by emailing privacy @astra.finance from the email address associated with your account, indicating “CANCEL” in the subject line of the message. After confirming you are the account owner we will remove Personal Information from our records and will only continue to retain such information as required by law.

Overview

This section of our privacy policy describes the Personal Information we collect or process about California residents in connection with our provision of certain services to our consumers, how we use, share, and protect that Personal Information, and what your rights are concerning Personal Information that we collect or process.

In this privacy notice, “Personal Information” has the same meaning as under the California Consumer Privacy Act, as amended by the California Privacy Rights Act and accompanying regulations (collectively, the “CCPA”), California Civil Code Section 1798.100 et seq.: information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Information does not include information that has been de-identified or aggregated.

If there are any conflicts between this section and any other provision of this Privacy Policy and you are a California resident, the portion that is more protective of Personal Information shall control to the extent of such conflict. If you have any questions about this section or whether any of the following rights apply to you, please contact us at [email protected].

Personal Information We Collect and Disclose, and for What Purposes

In the past 12 months, we have collected the Personal Information discussed above in the section titled Information We Collect and have used it for the purposes described in the section titled How We Use the Information We Collect.

We have also disclosed the following Personal Information for a business purpose in the past 12 months to the following categories of entities:

Category of Personal Information Disclosed	Category of Entity to Whom Personal Information was Disclosed for a Business Purpose	Business Purpose for Such Disclosures
Personal Identifiers (e.g., name, username, ID, mailing address, Social Security Number, email address, date of birth, etc.)	Service providers; Vendors	To provide the Site and services to you; to verify your identity.
Financial Information (e.g. bank account number, routing number, etc.)	Service Providers; Vendors; Financial Institutions	To process your transactions
Service Usage, Cookies, Device, and Location Information (e.g., log-ins, device information, IP addresses, proxy server, operating system, web browser and add-ons, device identifier and features, ISP or your mobile carrier, etc.)	Service providers; Vendors	To provide website functionality and maximize your experience
Biometric Information	Service Providers; Vendors	To help us verify your identity and to help us detect and prevent fraud

Please note that some of the Personal Information we have collected and/or disclosed in the past 12 months qualifies as Sensitive Personal Information under the CCPA (i.e., Biometric information for the purpose of uniquely identifying an individual). We do not use or disclose Sensitive Personal Information for purposes other than that which is necessary and proportionate to accomplish the objectives set forth in Cal. Code Regs. tit. 11 §7027(m). Specifically, in the past 12 months, we have collected and/or disclosed the following categories of Sensitive Personal Information:

• Social Security Numbers, drivers’ licenses, state identification card information;
• Financial account information;
• Precise geolocation information;
• Biometric information for the purpose of uniquely identifying an individual.

While we do not sell Personal Information in the way the term “sell” is commonly used, we do disclose limited cookie data with our business partners in order to provide and maintain our Site. Such a disclosure may constitute a “sale” for purposes of the CCPA. We have made such disclosures in the past 12 months.

In the past 12 months, we have not “shared” Personal Information as the term is defined by the CCPA.

Your Rights

Access

You have the right to request certain information about our collection and use of your Personal Information over the past 12 months. In response, we will provide you with the following information:

• The categories of Personal Information that we have collected about you;
• The categories of sources from which that Personal Information was collected;
• The business or commercial purpose for collecting or selling your Personal Information;
• The categories of third parties with whom we have shared your Personal Information; and
• The specific pieces of Personal Information that we have collected about you.

Deletion

You have the right to request that we delete the Personal Information that we have collected about you. Under the CCPA, this right is subject to certain exceptions: for example, we may need to retain your Personal Information to provide you with the Site or certain services or complete a transaction or other action you have requested. If your deletion request is subject to one of these exceptions, we may deny your deletion request.

Correction

You have the right to request that we correct inaccurate Personal Information that we have collected about you.

Right to Opt Out of Sale or Sharing

You have the right to opt out of the sale or sharing of your Personal Information. You may do so by contacting us via one of the methods provided above or click our “do not sell or share my Personal Information” link on our Site. To our knowledge, we do not sell or share the Personal Information of minors under 16 years of age.

Right to Limit the Use of Sensitive Personal Information

As we do not use your Sensitive Personal Information for purposes other than those set forth in Cal. Code Regs. tit. 11 §7027(m), we do not provide you with a way to limit the use of your Sensitive Personal Information.

Exercising Your Rights

To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Information, and (2) describes request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Information provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.

We will work to respond to your Valid Request within 45 days of receipt. In certain circumstances, we may require an additional 45 days to complete your request. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.

You may submit a Valid Request by emailing us at [email protected] or contacting us at (650) 485-3965.

You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.

We Will Not Discriminate Against You for Exercising Your Rights Under the CCPA

We will not discriminate against you for exercising your rights under the CCPA. We will not deny you our goods or services, charge you different prices or rates, or provide you a lower quality of goods and services if you exercise your rights under the CCPA. However, we may offer different tiers of our services as allowed by applicable data privacy laws (including the CCPA) with varying prices, rates, or levels of quality of the goods or services you receive to the extent that that difference is related to the value of Personal Information that we receive from you.

California Do Not Track Disclosures

Do Not Track. Astra does not track its users over time and across third-party websites and therefore we do not respond to Do Not Track signals. However, Astra does recognize Global Privacy Control signals where legally required. A Global Privacy Control (“GPC”) is a browser setting that a user can set in order to send a signal to each website visited regarding the user’s privacy preferences, such as not to share or sell user’s Personal Information. If your browser or browser extension has GPC enabled, our website will automatically recognize that signal and opt you out of the sale of your Personal Information. For more information about GPC and how to implement GPC opt-out preference signals, please visit Global Privacy Control.

Other California Resident Rights

Under California Civil Code Sections 1798.83-1798.84, California residents are entitled to contact us to prevent disclosure of Personal Information to third parties for such third parties’ direct marketing purposes; in order to submit such a request, please contact us at [email protected]. Astra does not disclose Personal Information to third parties for such third parties’ direct marketing purposes.

Nevada Resident Rights

If you are a resident of Nevada, you have the right to opt-out of the sale of certain Personal Information to third parties who intend to license or sell that Personal Information. You can exercise this right by contacting us at [email protected], however Astra does not sell Personal Information.

Security

We are committed to protecting Astra and our users from unauthorized access to, or unauthorized alteration, disclosure, or destruction of, information we may possess. To provide for the security of information in our possession, we implement reasonable technical, physical, and administrative safeguards. These safeguards may include, but are not limited to:

• Encrypting Personal Information in our possession;
• Offering or requiring multi-step authentication when you access your account;
• Reviewing our Personal Information collection, storage, and processing practices, including physical security measures, to guard against unauthorized access; and
• Restricting access to personal or financial information to Astra employees, contractors, partners, or agents who need to know that information in order to process it for us and are subject to confidentiality obligations.

However, please not that no method of transmitting information over the internet is 100% secure and we therefore cannot guarantee the absolute safety of the Personal Information we maintain.

We may revise this Privacy Policy from time to time in our sole discretion. In the event of a material change, we will post the updated Privacy Policy on this page and update the date at the top of this page. Your use of the Site following these changes means that you accept the revised Privacy Policy. If you do not wish to accept the revised Privacy Policy, your sole recourse is to terminate your account.

Questions about our Privacy Policy or our privacy practices can be sent to [email protected].

This Privacy Notice (“Notice”) applies to individuals who reside in the states of Colorado, Virginia, Utah, Iowa, Indiana, Tennessee, and Connecticut. This Notice describes your rights pursuant to the Colorado Privacy Act, Virginia Consumer Data Protection Act, the Indiana Consumer Data Protection Act, the Iowa Consumer Data Protection Act, the Tennessee Information Protection Act, the Utah Consumer Privacy Act, and the Connecticut Data Privacy Act (the “Applicable Laws”). Capitalized terms used but not defined in this Notice have the meaning assigned to them by the Applicable Laws.

This section provides additional details regarding the Personal Information that we collect or process about residents of the aforementioned states. For the purpose of this section, “Personal Information” means any information that is linked or reasonably linkable to an identified or identifiable natural person.

In the last 12 months, we have not sold your Personal Information, used such information for Targeted Advertising, or used Personal Information to profile in furtherance of decisions that produce legal or similarly significant effects concerning you as such terms are defined by the Applicable Laws.

Collection of Sensitive Personal Information

Please note that some of the information we collect may constitute sensitive information for purposes of the Applicable Laws. To the extent required by the Applicable Laws, we will not process such sensitive information without your prior consent.

Disclosure of Personal Information to Third Parties

To learn how we disclose your information to third parties, please visit the section titled “Information we Share with Others” above. All categories of Personal Information discussed may be disclosed to third parties (e.g., service providers, our affiliates, etc.).

Your Rights

Under the Applicable Laws, users who are residents of these states have specific rights regarding their Personal Information subject to certain exceptions. When required, we will respond to most requests within 45 days unless it is reasonably necessary to extend the response time. Subject to certain limitations, you have the following rights:

Colorado, Indiana, Connecticut, Tennessee, Virginia, Iowa, and Utah:

• Right of access: You have the right to confirm whether we process your
• Personal Information and request access to such Personal Information.
• Right to Deletion: You have the right to request that we delete the Personal Information we have collected about you.
• Right to Data Portability: You have the right to request that we provide you with your Personal Information in a portable format.
• The Right to Opt Out: You have the right to opt out of:
  • Connecticut, Colorado, Virginia, Indiana, Tennessee Utah:
    • Targeted advertising;
    • The sale of your Personal Information; and
    • Profiling in furtherance of decisions that produce legal or similarly significant effects.
  • Iowa:
    • The sale of your Personal Information as such term is defined by the Iowa Consumer Data Protection Act.

Colorado, Indiana, Connecticut, Tennessee, and Virginia only:

• Right to Correction: You have the right to correct inaccuracies in your Personal Information.

At this time, we do not sell your Personal Information, use your Personal Information for Targeted Advertising, or process your Personal Information for purposes of profiling in furtherance of decisions that produce legally or similarly significant effects concerning a consumer, and therefore, opt-out rights are not available.

How to Exercise Your Rights

To exercise the rights described above, please submit a verifiable consumer request to us by either:

• Calling us at: (650) 485-3965
• Email us at: [email protected]

We endeavor to respond to a verifiable consumer request within forty-five (45) days of its receipt. If we require more time (up to a total of 90 days), we will inform you of the reason and extension period in writing (which may include email). If you would like to appeal our actions in response to your verifiable consumer request, please email [email protected] from the email associated with the Astra profile and include “Appeal request” in the subject line. However, please note that you do not need to create an account to exercise this right. We may simply require additional information if you contact us from an account that is not associated with your profile.

As we do not sell your Personal Information, use such information for Targeted Advertising, or use your Personal Information to profile you in furtherance of decisions that produce legal or similarly significant effects concerning you, we do not provide you with a method to opt out.

In order to protect your privacy and the security of your information, we verify consumer requests by requesting identification documents and other documentation necessary to confirm your identity. Any additional information you provide will be used only to verify your identity and not for any other purpose.

Contact Us about this Privacy Policy

If you have any questions or comments about this Notice, the ways in which we collect and use your information described here, your choices and rights regarding such use, or if you wish to exercise your data privacy rights under the Applicable Laws, please do not hesitate to contact us at:

By Email: [email protected]
By Phone: (650) 485-3965

Authorized Agents in Colorado and Connecticut

If you want to make a request as an authorized agent on behalf of a Colorado or Connecticut resident, you may use the submission methods noted above. As part of our verification process, we may request that you provide, as applicable, proof concerning your status as an authorized agent. In addition, we may require the individual on whose behalf you are making the request to verify their own identity or your permission to submit the request.